CN105868632A - Method and device for intercepting and releasing DHCP (dynamic host configuration protocol) - Google Patents

Info

Publication number: CN105868632A
Authority: CN (China)
Prior art keywords: program, function, target program, dhcp, process path
Legal status: Granted
Application number: CN201610247825.2A
Other languages: Chinese (zh)
Other versions: CN105868632B (en)
Inventor: 李文靖
Current Assignee: Zhuhai Baoqu Technology Co Ltd
Original Assignee: Beijing Kingsoft Internet Security Software Co Ltd
Application filed by Beijing Kingsoft Internet Security Software Co Ltd
Priority to CN201610247825.2A
Publication of CN105868632A
Application granted
Publication of CN105868632B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

An embodiment of the invention provides a method and a device for intercepting the release of DHCP (Dynamic Host Configuration Protocol). When a call request from a target program to a first function is detected, it is judged whether the call request is a request to release DHCP by calling the first function. If it is, the process path of the target program is obtained and whether the target program is a malicious program is judged from that process path; if it is malicious, the first function is not invoked. Because the first function is not invoked, it no longer sends a DHCP release message to the subsystem, so the malicious program's attempt to disconnect the network by releasing DHCP is intercepted and the damage it would do to system security is avoided.

Description

Method and device for intercepting the release of DHCP
Technical field
The present invention relates to the technical field of system security, and in particular to a method and device for intercepting the release of DHCP.
Background technology
With the development of Internet technology, malicious programs such as viruses and Trojan horses emerge in an endless stream. Current antivirus software is able to connect to a server: when scanning for malicious programs it relies not only on its local virus database but also on network access to determine whether a new, unknown file is malicious. Network connectivity is therefore especially important to antivirus software; if the network is disconnected, the antivirus software cannot identify viruses that are not in its local virus database.
For this reason, some malicious programs first disconnect the antivirus software's network before performing malicious actions, thereby easily bypassing the antivirus software's defences and damaging system security. A common way for a malicious program to disconnect the network is to release DHCP, i.e. to give up the host's DHCP-assigned address; after DHCP is released the antivirus software can no longer reach the network and the malicious program can damage system security. There is therefore an urgent need for a method of intercepting malicious programs that disconnect the network by releasing DHCP.
Summary of the invention
The purpose of the embodiments of the present invention is to provide a method and device for intercepting the release of DHCP, so as to intercept a malicious program that disconnects the network by releasing DHCP. The specific technical scheme is as follows:
A method for intercepting the release of DHCP, the method including:
when a call request from a target program to a first function is detected, judging whether the call request is a request to release the Dynamic Host Configuration Protocol (DHCP) by calling the first function, where the first function is a function that uses a local procedure call (LPC) to send a message to the subsystem that performs the DHCP release;
when the judgment result is yes, obtaining the process path of the target program;
judging, from the obtained process path, whether the target program is a malicious program;
when the judgment result is yes, not invoking the first function.
Optionally, after judging from the obtained process path whether the target program is a malicious program, the method further includes:
when the judgment result is no, invoking the first function.
Optionally, judging whether the call request is a request to release DHCP by calling the first function includes:
judging whether the port handle passed in the call request is the handle of the DHCP port and whether the message data passed in the call request carries the field value for releasing DHCP; if both hold, the call request is a request to release DHCP by calling the first function.
Optionally, the call request from the target program to the first function is detected by means of a hook.
Optionally, obtaining the process path of the target program includes:
calling the PsGetCurrentProcessId function and the ZwQueryInformationProcess function to obtain the process path of the target program.
Optionally, judging from the obtained process path whether the target program is a malicious program includes:
sending the obtained process path to a file scanning engine;
receiving the type of the target program that the file scanning engine reports back based on the obtained process path;
determining from the received type of the target program whether the target program is a malicious program.
Optionally, determining from the received type of the target program whether the target program is a malicious program includes:
judging whether the received type of the target program is the unknown-program type or the dangerous-program type;
if so, determining that the target program is a malicious program.
Optionally, judging from the obtained process path whether the target program is a malicious program includes:
calling the GetFileInfoVersion function with the obtained process path to obtain the program source information of the target program;
determining from the obtained program source information whether the target program is a malicious program.
A device for intercepting the release of DHCP, the device including:
a request judging module, configured to judge, when a call request from a target program to a first function is detected, whether the call request is a request to release the Dynamic Host Configuration Protocol (DHCP) by calling the first function, where the first function is a function that uses a local procedure call (LPC) to send a message to the subsystem that performs the DHCP release;
a process path obtaining module, configured to obtain the process path of the target program when the call request is judged to be a request to release DHCP by calling the first function;
a malicious program judging module, configured to judge, from the obtained process path, whether the target program is a malicious program;
a first processing module, configured not to invoke the first function when the target program is judged to be a malicious program.
Optionally, the device further includes:
a second processing module, configured to invoke the first function when, from the obtained process path, the target program is judged not to be a malicious program.
Optionally, the request judging module is specifically configured to:
when a call request from a target program to the first function is detected, judge whether the port handle passed in the call request is the handle of the DHCP port and whether the message data passed in the call request is the field value for releasing DHCP; if both hold, the call request is a request to release DHCP by calling the first function, where the first function is a function that uses LPC to send a message to the subsystem that performs the DHCP release.
Optionally, the call request from the target program to the first function is detected by means of a hook.
Optionally, the process path obtaining module is specifically configured to:
when the call request is judged to be a request to release DHCP by calling the first function, call the PsGetCurrentProcessId function and the ZwQueryInformationProcess function to obtain the process path of the target program.
Optionally, the malicious program judging module includes:
a sending unit, configured to send the obtained process path to a file scanning engine;
a receiving unit, configured to receive the type of the target program that the file scanning engine reports back based on the obtained process path;
a first determining unit, configured to determine from the received type of the target program whether the target program is a malicious program.
Optionally, the first determining unit is specifically configured to:
judge whether the received type of the target program is the unknown-program type or the dangerous-program type;
if so, determine that the target program is a malicious program.
Optionally, the malicious program judging module includes:
a source information obtaining unit, configured to call the GetFileInfoVersion function with the obtained process path to obtain the program source information of the target program;
a second determining unit, configured to determine from the obtained program source information whether the target program is a malicious program.
In the embodiments of the present invention, when the call request from the target program to the first function is detected to be a request to release the Dynamic Host Configuration Protocol (DHCP), the process path of the target program that issued the call request is obtained and used to determine whether the target program is a malicious program; if it is, the first function is not invoked, so that it no longer sends a DHCP release message to the subsystem. The malicious program's attempt to disconnect the network by releasing DHCP is thereby intercepted and the damage it would do to system security is avoided. Of course, not every product or method implementing the present invention necessarily achieves all of the above advantages at once.
Brief description of the drawings
In order to explain the embodiments of the present invention or the technical schemes of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a first flowchart of a method for intercepting the release of DHCP provided by an embodiment of the present invention;
Fig. 2 is a second flowchart of a method for intercepting the release of DHCP provided by an embodiment of the present invention;
Fig. 3 is a third flowchart of a method for intercepting the release of DHCP provided by an embodiment of the present invention;
Fig. 4 is a fourth flowchart of a method for intercepting the release of DHCP provided by an embodiment of the present invention;
Fig. 5 is a first structural diagram of a device for intercepting the release of DHCP provided by an embodiment of the present invention;
Fig. 6 is a second structural diagram of a device for intercepting the release of DHCP provided by an embodiment of the present invention.
Detailed description of the invention
The technical schemes in the embodiments of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
To solve the problems of the prior art, the embodiments of the present invention provide a method and device for intercepting the release of DHCP.
The method for intercepting the release of DHCP provided by the embodiments of the present invention is introduced first.
It should be noted that the method for intercepting the release of DHCP provided by the embodiments of the present invention is applied to an electronic device. In practice the electronic device may be a smartphone, a tablet computer, a notebook computer and so on; all of these are reasonable.
In addition, the executing body of the method may be a device for intercepting the release of DHCP. This device may be stand-alone client software, in which case the client software prevents malicious programs from disconnecting the network by releasing DHCP by performing the method of this embodiment; or it may be a plug-in of some client software, in which case the plug-in performs the method of this embodiment so that the client software is protected from having DHCP released by a malicious program.
As shown in Fig. 1, a method for intercepting the release of DHCP provided by an embodiment of the present invention, applied to an electronic device, may include:
S101: when a call request from a target program to a first function is detected, judge whether the call request is a request to release the Dynamic Host Configuration Protocol (DHCP) by calling the first function; if so, perform step S102; if not, do nothing.
Here the first function is a function that uses LPC to send a message to the subsystem that performs the DHCP release.
Some malicious programs disconnect the network by releasing the Dynamic Host Configuration Protocol (DHCP) before performing malicious actions. When a malicious program releases DHCP, it calls a first function that uses a local procedure call (LPC) to send a message to the subsystem that performs the release; this first function may be the NtRequestWaitReplyPort function, and the DHCP release is completed by calling it.
DHCP (Dynamic Host Configuration Protocol) is a local area network protocol that works over UDP. It has two main purposes: one is to assign IP addresses automatically within an internal network or for an Internet service provider, and the other is to allow all hosts to be managed centrally. It follows that releasing DHCP disconnects software from the network.
The software consists of multiple subsystems, each performing a different function, and the subsystems communicate with each other by local procedure calls (LPC). LPC is based on RPC (Remote Procedure Call), which originated on Unix and provides communication between processes running on two computers; LPC provides communication between processes running on the same computer. A message can therefore be sent to a subsystem of the software by LPC.
Because a general-purpose function serves several purposes, when a call request from the target program to the first function is detected it is also necessary to judge whether the call request is a request to release DHCP by calling the first function, and then to act according to the judgment result.
S102: obtain the process path of the target program.
To further determine whether the target program is a malicious program, information about the target program is needed, and from this information it is determined whether the target program is malicious. Typically the location of the target program is found by obtaining its process path, and the target program's data can then be obtained.
Therefore, when the call request is judged to be a request to release DHCP by calling the first function, whether the target program is a malicious program can be judged by obtaining the process path of the target program.
S103: judge, from the obtained process path, whether the target program is a malicious program; if so, perform step S104.
From the obtained process path, information about the target program is obtained; from this information it is judged whether the target program that issued the call request is a malicious program, and the subsequent steps are performed according to the judgment result.
S104: do not invoke the first function.
To prevent a malicious program from disconnecting the network by releasing DHCP, when the target program is determined to be a malicious program the first function is not invoked, so that it cannot use LPC to send a message to the subsystem that performs the DHCP release. The malicious program's DHCP release therefore fails and the network stays connected.
In the embodiment of the present invention, when the call request from the target program to the first function is detected to be a request to release the Dynamic Host Configuration Protocol (DHCP), the process path of the target program that issued the call request is obtained and used to determine whether the target program is a malicious program; if it is, the first function is not invoked, so that it no longer sends a DHCP release message to the subsystem. The malicious program's attempt to disconnect the network by releasing DHCP is thereby intercepted and the damage it would do to system security is avoided.
On the basis of the embodiment shown in Fig. 1, as shown in Fig. 2, the method for intercepting the release of DHCP provided by an embodiment of the present invention, applied to an electronic device, may further include:
S105: when the judgment result of S103 is no, invoke the first function.
When the target program is determined not to be a malicious program, the first function is invoked; it uses LPC to send a message to the subsystem that performs the DHCP release, the release is completed and the network is disconnected.
Thus, when the target program is determined not to be a malicious program, DHCP can be released successfully.
Specifically, judging whether the call request is a request to release the Dynamic Host Configuration Protocol (DHCP) by calling the first function may include:
judging whether the port handle passed in the call request is the handle of the DHCP port and whether the message data passed in the call request is the field value for releasing DHCP; if both hold, the call request is a request to release DHCP by calling the first function.
A port handle may be understood as a port identifier; by judging that the port passed in the call request is the DHCP port, the call can be identified as sending a message to the DHCP port. Specifically, the DHCP port is named "RPC Control dhcpcsvc"; the name of the port passed in the call request can be obtained through the ObReferenceObjectByName function, and when that name matches the name of the DHCP port the call is identified as sending a message to the DHCP port.
After it has been determined that a message is being sent to the DHCP port, it is further necessary to determine whether the message data passed in the call request is the field value for releasing DHCP; if so, the call request is a request to release DHCP by calling the first function. Specifically, the message data passed in the call request, which is of the PPORT_MESSAGE type, is cast to the PDHCP_MESSAGE type and its MsgId field is read; if the field value is DHCP_RELEASE_PORT_ID, the message data is a DHCP release message.
Specifically, the call request from the target program to the first function is detected by means of a hook.
To detect the call request from the target program to the first function, a hook function may be defined. In this form of hook, the hook function itself does not have the capability of using a local procedure call (LPC) to send a message to the subsystem that performs the DHCP release; after the hook function has judged whether the target program is a malicious program, it decides whether to continue by calling the first function.
When the first function is the NtRequestWaitReplyPort function, the hook function may be defined as follows: locate the NtRequestWaitReplyPort entry in the system service descriptor table (SSDT), save the original address of NtRequestWaitReplyPort, define a NewNtRequestWaitReplyPort function and replace the original NtRequestWaitReplyPort address with it. NtRequestWaitReplyPort is thereby hooked, and the defined hook function is NewNtRequestWaitReplyPort.
The SSDT (System Services Descriptor Table) connects the ring 3 Win32 API with the ring 0 kernel API, so that the application layer and the driver layer of the software can communicate with each other. The method of intercepting a malicious program's release of DHCP by means of a hook is described in detail below with a specific example:
For example, the first function is the NtRequestWaitReplyPort function and the hook function is the NewNtRequestWaitReplyPort function.
The process by which a malicious program releases DHCP:
the malicious program invokes a system command such as ipconfig; the kernel calls the NtRequestWaitReplyPort function, which uses LPC to send a message to the subsystem that performs the DHCP release; the release is completed and the malicious program succeeds in disconnecting the network.
The process of intercepting the malicious program's release of DHCP:
the malicious program invokes a system command such as ipconfig; the kernel calls the hook function NewNtRequestWaitReplyPort, which obtains the process path of the malicious program; once the program is determined to be malicious, the kernel does not call the NtRequestWaitReplyPort function, and the malicious program fails to disconnect the network.
Specifically, obtaining the process path of the target program may include:
calling the PsGetCurrentProcessId function and the ZwQueryInformationProcess function to obtain the process path of the target program.
It should be noted that there are several specific ways of judging from the obtained process path whether the target program is a malicious program; examples are introduced below.
In one implementation, as shown in Fig. 3, judging from the obtained process path whether the target program is a malicious program (S103) may include:
S1031: send the obtained process path to a file scanning engine.
The obtained process path is sent to the file scanning engine, which can obtain information about the target program from the process path and, by analysing that information, determine whether the target program is a malicious program.
S1032: receive the type of the target program that the file scanning engine reports back based on the obtained process path.
The type of the target program determined by the file scanning engine is received; within the file scanning engine, the type of the target program is determined by analysing the information about the target program.
S1033: determine from the received type of the target program whether the target program is a malicious program.
Thus whether the target program is a malicious program is determined by sending the obtained process path to the file scanning engine.
Specifically, determining from the received type of the target program whether the target program is a malicious program may include:
judging whether the received type of the target program is the unknown-program type or the dangerous-program type;
if so, determining that the target program is a malicious program.
Specifically, by analysing the information about the target program, the file scanning engine can determine the type of the target program to be the safe-program type, the unknown-program type or the dangerous-program type. When the received type of the target program is the safe-program type, the target program is determined not to be a malicious program; when the received type is the unknown-program type or the dangerous-program type, the target program is determined to be a malicious program.
In another implementation, as shown in Fig. 4, judging from the obtained process path whether the target program is a malicious program (S103) may include:
S1034: call the GetFileInfoVersion function with the obtained process path to obtain the program source information of the target program;
Whether a program is a malicious program can also be determined by judging whether the program's source information is safe. Therefore, the location of the target program can be found from the obtained process path, and the program source information of the target program is then obtained by calling the GetFileInfoVersion function.
S1035: determine from the obtained program source information whether the target program is a malicious program.
If the obtained program source information is safe, the target program is determined to be a safe program; if the obtained program source information is unsafe, the target program is determined to be a malicious program.
Thus whether the target program is a malicious program is determined by obtaining the program source information of the target program from the obtained process path.
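The following is an added example, not code from the patent or from Kingsoft, that models the whole decision path described above in portable C: the SSDT hook embodiment (original address saved, NewNtRequestWaitReplyPort installed in its place), the S101 check on the port name and the MsgId field, the S1031 to S1033 classification of the caller by a file scanning engine into safe, unknown or dangerous, and the S104/S105 choice between refusing the call and passing it through to the original function. Everything kernel-specific is simulated: the SSDT entry is a function pointer, the port name and process path are handed in directly instead of coming from ObReferenceObjectByName, PsGetCurrentProcessId and ZwQueryInformationProcess, the engine is a stub that classifies by path, the backslash form of the port name, the numeric value of DHCP_RELEASE_PORT_ID and the STATUS_BLOCKED result are all placeholders chosen for the example, and the message structure keeps only the MsgId field.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Port name from the description as an NT object path (backslash form assumed). */
#define DHCP_PORT_NAME "\\RPC Control\\dhcpcsvc"
/* Placeholder: the page names DHCP_RELEASE_PORT_ID but not its value. */
#define DHCP_RELEASE_PORT_ID 0x0002u
/* Placeholder status handed back to a caller whose release is refused. */
#define STATUS_BLOCKED (-1)

/* Constructed stand-in for the PDHCP_MESSAGE view of a port message. */
typedef struct { unsigned long MsgId; } DHCP_MESSAGE;

/* What the hook can observe about one call (simulated inputs). */
typedef struct {
    const char *port_name;       /* would come from ObReferenceObjectByName */
    const DHCP_MESSAGE *msg;     /* would be the cast PPORT_MESSAGE payload */
    const char *process_path;    /* would come from ZwQueryInformationProcess */
} call_ctx;

typedef int (*nt_request_fn)(const call_ctx *ctx);

/* Stand-in for the original NtRequestWaitReplyPort: delivers the message. */
static int original_nt_request_wait_reply_port(const call_ctx *ctx) {
    (void)ctx;
    return 0; /* STATUS_SUCCESS */
}

/* Simulated SSDT entry plus the saved original address. */
static nt_request_fn ssdt_entry = original_nt_request_wait_reply_port;
static nt_request_fn saved_original = original_nt_request_wait_reply_port;

/* Program types the file scanning engine reports (S1032). */
enum program_type { TYPE_SAFE, TYPE_UNKNOWN, TYPE_DANGEROUS };

static bool starts_with(const char *s, const char *prefix) {
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Constructed stand-in for the file scanning engine: classifies by path only. */
static enum program_type engine_classify(const char *process_path) {
    if (starts_with(process_path, "C:\\Windows\\System32\\")) return TYPE_SAFE;
    if (strstr(process_path, "\\Temp\\") != NULL) return TYPE_DANGEROUS;
    return TYPE_UNKNOWN;
}

/* S1033: unknown and dangerous types are both treated as malicious. */
bool is_malicious_type(enum program_type t) { return t != TYPE_SAFE; }

/* S101: a release request targets the DHCP port and carries the release MsgId. */
bool is_dhcp_release_request(const call_ctx *ctx) {
    if (ctx->port_name == NULL || strcmp(ctx->port_name, DHCP_PORT_NAME) != 0) return false;
    return ctx->msg != NULL && ctx->msg->MsgId == DHCP_RELEASE_PORT_ID;
}

/* The hook function (NewNtRequestWaitReplyPort in the description). */
static int new_nt_request_wait_reply_port(const call_ctx *ctx) {
    if (!is_dhcp_release_request(ctx))
        return saved_original(ctx);          /* not a release: pass through */
    if (is_malicious_type(engine_classify(ctx->process_path)))
        return STATUS_BLOCKED;               /* S104: original is never called */
    return saved_original(ctx);              /* S105: benign caller, release proceeds */
}

/* Save the original entry and install the hook; returns 1 on install, 0 if already hooked. */
int install_hook(void) {
    if (ssdt_entry == new_nt_request_wait_reply_port) return 0;
    saved_original = ssdt_entry;
    ssdt_entry = new_nt_request_wait_reply_port;
    return 1;
}

/* Restore the original entry; returns 1 on removal, 0 if not hooked. */
int remove_hook(void) {
    if (ssdt_entry != new_nt_request_wait_reply_port) return 0;
    ssdt_entry = saved_original;
    return 1;
}

/* Status a caller of the (possibly hooked) service sees. */
int request_wait_reply_port(const char *port_name, unsigned long msg_id, const char *process_path) {
    DHCP_MESSAGE msg = { msg_id };
    call_ctx ctx = { port_name, &msg, process_path };
    return ssdt_entry(&ctx);
}

int main(void) {
    install_hook();
    printf("release from Temp:     %d\n", request_wait_reply_port(DHCP_PORT_NAME, DHCP_RELEASE_PORT_ID, "C:\\Users\\u\\AppData\\Local\\Temp\\x.exe"));
    printf("release from System32: %d\n", request_wait_reply_port(DHCP_PORT_NAME, DHCP_RELEASE_PORT_ID, "C:\\Windows\\System32\\ipconfig.exe"));
    remove_hook();
    return 0;
}
```

Two points worth noticing when reading the model against the description. First, a request to any other port, or to the DHCP port with a different MsgId, is passed through untouched, so the hook only ever changes the outcome of a release request; this matches the description's insistence on checking both the port handle and the field value before acting. Second, the description's own example has the malicious program run ipconfig, in which case the process that actually issues the LPC call is ipconfig.exe; the process path the hook sees is then that of the system utility, and the page does not describe attributing the call to the parent process, so this model, like the description, classifies only the direct caller.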
Relative to said method embodiment, the embodiment of the present invention additionally provides a kind of dress intercepting release DHCP Put, be applied to electronic equipment, as it is shown in figure 5, this device may include that
Request judge module 201, for when target program being detected to the call request of the first function, sentencing Whether disconnected described call request is by calling described first function with releasing dynamic host configuration protocol DHCP Request, wherein, described first function be for utilize LPC to perform release DHCP subsystem send The function of message;
Process path acquisition module 202, for judging that described call request is as by calling described first letter In the case of the number request with releasing dynamic host configuration protocol DHCP, obtain the process of described target program Path;
Rogue program judge module 203, for according to acquired process path, it is judged that described target program Whether it is rogue program;
First processing module 204, is used in the case of ought judging that described target program is rogue program, no Call described first function of execution.
In the embodiment of the present invention, detecting that target program is release dynamics master to the call request of the first function During the request of machine configuration protocol DHCP, sent the process path of the target program of call request by acquisition Mode, determines whether target program is rogue program, and where it has, never call execution the first function, So that the first function no longer sends release dhcp message to subsystem, it is achieved that rogue program is discharged The interception of DHCP suspension, it is to avoid the rogue program destruction to security of system.
On the basis of the device shown in Fig. 5, as shown in Fig. 6, the device for intercepting DHCP release provided by an embodiment of the present invention, applied to an electronic device, may further include:
a second processing module 205, configured to call and execute the first function when, according to the acquired process path, the target program is judged not to be a malicious program.
Specifically, the request judging module 201 may be configured to:
when a call request by a target program to the first function is detected, judge whether the port handle passed in the call request is the handle of the DHCP port and whether the message data passed is the field value for releasing DHCP; if both hold, the call request is a request to release the Dynamic Host Configuration Protocol (DHCP) lease by calling the first function, where the first function is the function that uses a local procedure call (LPC) to send a message to the subsystem that performs the DHCP release.
Specifically, the call request by the target program to the first function is detected by means of a hook.
Specifically, the process path acquisition module 202 may be configured to:
when the call request is judged to be a request to release the Dynamic Host Configuration Protocol (DHCP) lease by calling the first function, call the PsGetCurrentProcessId function and the ZwQueryInformationProcess function to obtain the process path of the target program.
Specifically, the malicious program judging module 203 may include:
a sending unit, configured to send the acquired process path to a file scanning engine;
a receiving unit, configured to receive the type of the target program that the file scanning engine returns for the acquired process path;
a first determining unit, configured to determine, according to the received type of the target program, whether the target program is a malicious program.
Specifically, the first determining unit may be configured to:
judge whether the received type of the target program is the unknown-program type or the dangerous-program type;
if so, determine that the target program is a malicious program.
Specifically, the malicious program judging module 203 may include:
a source information acquiring unit, configured to call the GetFileInfoVersion function according to the acquired process path to obtain the program source information of the target program;
a second determining unit, configured to determine, according to the acquired program source information, whether the target program is a malicious program.
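The filtering decision the modules above describe (detect the call, check the DHCP port handle and the release field, look up the caller's classification, block unknown or dangerous programs), modelled as an added example that is not part of the patent. The handle value, the release field string and the path-to-type table are constructed stand-ins for the real LPC port handle, message format and file scanning engine; no kernel API is called.

```c
/* Added example, not from the patent: models the hook's filtering decision.
 * DHCP_PORT_HANDLE, RELEASE_FIELD and the path->type table are constructed
 * stand-ins; a real driver would get the path via ZwQueryInformationProcess. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Program type as fed back by the file scanning engine (patent's categories). */
typedef enum { PROG_TRUSTED, PROG_UNKNOWN, PROG_DANGEROUS } prog_type_t;

/* One intercepted LPC send request: port handle, message data, caller path. */
typedef struct {
    uintptr_t   port_handle;
    const char *message;       /* message data, constructed as a C string */
    const char *process_path;  /* full path of the calling process */
} lpc_request_t;

#define DHCP_PORT_HANDLE 0x1A4u          /* constructed handle value */
#define RELEASE_FIELD    "DHCP_RELEASE"  /* constructed release field value */

/* Claim 3: the call is a DHCP release only if BOTH conditions hold. */
bool is_dhcp_release_request(const lpc_request_t *req) {
    return req->port_handle == DHCP_PORT_HANDLE &&
           strstr(req->message, RELEASE_FIELD) != NULL;
}

/* Stand-in for the scanning engine's verdict, keyed by process path. */
prog_type_t classify_process(const char *path) {
    if (strcmp(path, "C:\\Windows\\System32\\ipconfig.exe") == 0) return PROG_TRUSTED;
    if (strcmp(path, "C:\\Users\\Public\\dropper.exe") == 0)    return PROG_DANGEROUS;
    return PROG_UNKNOWN;  /* unrecognised paths are "unknown", never trusted */
}

/* Hook decision: true = call the original first function, false = drop it.
 * Claim 7: unknown or dangerous programs are treated as malicious. */
bool should_pass_through(const lpc_request_t *req) {
    if (!is_dhcp_release_request(req))
        return true;                        /* unrelated LPC traffic: allow */
    return classify_process(req->process_path) == PROG_TRUSTED;
}

int main(void) {
    lpc_request_t bad  = { DHCP_PORT_HANDLE, "op=DHCP_RELEASE", "C:\\Users\\Public\\dropper.exe" };
    lpc_request_t good = { DHCP_PORT_HANDLE, "op=DHCP_RELEASE", "C:\\Windows\\System32\\ipconfig.exe" };
    printf("dropper release:  %s\n", should_pass_through(&bad)  ? "allowed" : "blocked");
    printf("ipconfig release: %s\n", should_pass_through(&good) ? "allowed" : "blocked");
    return 0;
}
```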
It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of additional identical elements in the process, method, article or device that includes that element.
The embodiments in this specification are described in a related manner: identical or similar parts of the embodiments may be referred to one another, and each embodiment focuses on what differs from the others. In particular, the device embodiment is described briefly because it is substantially similar to the method embodiment; for relevant details, see the description of the method embodiment.
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit the scope of protection of the present invention. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (10)

1. A method for intercepting DHCP release, characterized in that the method includes:
when a call request by a target program to a first function is detected, judging whether the call request is a request to release the Dynamic Host Configuration Protocol (DHCP) lease by calling the first function, wherein the first function is a function that uses a local procedure call (LPC) to send a message to the subsystem that performs the DHCP release;
when the judgment result is yes, acquiring the process path of the target program;
judging, according to the acquired process path, whether the target program is a malicious program;
when the judgment result is yes, not calling and executing the first function.
2. The method according to claim 1, characterized in that, after judging whether the target program is a malicious program according to the acquired process path, the method further includes:
when the judgment result is no, calling and executing the first function.
3. The method according to claim 1, characterized in that judging whether the call request is a request to release the Dynamic Host Configuration Protocol (DHCP) lease by calling the first function includes:
judging whether the port handle passed in the call request is the handle of the DHCP port and whether the message data passed is the field value for releasing DHCP; if so, the call request is a request to release the Dynamic Host Configuration Protocol (DHCP) lease by calling the first function.
4. The method according to claim 1, characterized in that the call request by the target program to the first function is detected by means of a hook.
5. The method according to claim 1, characterized in that acquiring the process path of the target program includes:
calling the PsGetCurrentProcessId function and the ZwQueryInformationProcess function to obtain the process path of the target program.
6. The method according to claim 1, characterized in that judging whether the target program is a malicious program according to the acquired process path includes:
sending the acquired process path to a file scanning engine;
receiving the type of the target program that the file scanning engine returns for the acquired process path;
determining, according to the received type of the target program, whether the target program is a malicious program.
7. The method according to claim 6, characterized in that determining whether the target program is a malicious program according to the received type of the target program includes:
judging whether the received type of the target program is the unknown-program type or the dangerous-program type;
if so, determining that the target program is a malicious program.
8. The method according to claim 1, characterized in that judging whether the target program is a malicious program according to the acquired process path includes:
calling the GetFileInfoVersion function according to the acquired process path to obtain the program source information of the target program;
determining, according to the acquired program source information, whether the target program is a malicious program.
9. A device for intercepting DHCP release, characterized in that the device includes:
a request judging module, configured to judge, when a call request by a target program to a first function is detected, whether the call request is a request to release the Dynamic Host Configuration Protocol (DHCP) lease by calling the first function, wherein the first function is a function that uses a local procedure call (LPC) to send a message to the subsystem that performs the DHCP release;
a process path acquisition module, configured to acquire the process path of the target program when the call request is judged to be a request to release the Dynamic Host Configuration Protocol (DHCP) lease by calling the first function;
a malicious program judging module, configured to judge, according to the acquired process path, whether the target program is a malicious program;
a first processing module, configured not to call and execute the first function when the target program is judged to be a malicious program.
10. The device according to claim 9, characterized in that the device further includes:
a second processing module, configured to call and execute the first function when, according to the acquired process path, the target program is judged not to be a malicious program.
CN201610247825.2A 2016-04-20 2016-04-20 Method and device for intercepting and releasing DHCP (dynamic host configuration protocol) Active CN105868632B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610247825.2A CN105868632B (en) 2016-04-20 2016-04-20 Method and device for intercepting and releasing DHCP (dynamic host configuration protocol)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610247825.2A CN105868632B (en) 2016-04-20 2016-04-20 Method and device for intercepting and releasing DHCP (dynamic host configuration protocol)

Publications (2)

Publication Number Publication Date
CN105868632A true CN105868632A (en) 2016-08-17
CN105868632B CN105868632B (en) 2018-11-16

Family

ID=56632462

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610247825.2A Active CN105868632B (en) 2016-04-20 2016-04-20 Method and device for intercepting and releasing DHCP (dynamic host configuration protocol)

Country Status (1)

Country Link
CN (1) CN105868632B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105912933A (en) * 2016-04-27 2016-08-31 北京金山安全软件有限公司 Method and device for processing network disconnection instruction and electronic equipment
CN109918907A (en) * 2019-01-30 2019-06-21 国家计算机网络与信息安全管理中心 Linux platform proceeding internal memory malicious code evidence collecting method, controller and medium
CN112769824A (en) * 2021-01-07 2021-05-07 深圳市大富网络技术有限公司 Information transmission state updating method, terminal, device and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110113482A1 (en) * 2002-10-25 2011-05-12 Marco Foschiano Method And Apparatus For Automatic Filter Generation And Maintenance
CN102737188A (en) * 2012-06-27 2012-10-17 北京奇虎科技有限公司 Method and device for detecting malicious webpage
CN102868694A (en) * 2012-09-17 2013-01-09 北京奇虎科技有限公司 Method, device and system for detecting whether to control client to visit network
CN102932329A (en) * 2012-09-26 2013-02-13 北京奇虎科技有限公司 Method and device for intercepting behaviors of program, and client equipment
CN103988534A (en) * 2011-12-12 2014-08-13 瑞典爱立信有限公司 Method for detection of persistent malware on a network node


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
孟令健 (Meng Lingjian): "计算机网络安全ARP攻击行为的防范研究" (Research on the prevention of ARP attacks in computer network security), 《齐齐哈尔大学学报(自然科学版)》 (Journal of Qiqihar University, Natural Science Edition) *


Also Published As

Publication number Publication date
CN105868632B (en) 2018-11-16


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20181214

Address after: Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province

Patentee after: Zhuhai Leopard Technology Co.,Ltd.

Address before: 100085 East District, Second Floor, 33 Xiaoying West Road, Haidian District, Beijing

Patentee before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd.
